This weblog is about the technologies I explore, algorithms I develop, how-tos on various software and so on, interspersed with some humor.

First, get OpenSSL installed on the server:
sudo apt-get install openssl
This installs the OpenSSL version that has been tested for the Ubuntu release you are running. For example, on Ubuntu 7.04 (Feisty) the command above installs OpenSSL 0.9.8. If you need some other version, you have to give the exact package version when you install.

Creating a Self-Signed (Private) Root Certificate
A brief primer on certificates in layman's terms.

Suppose a client C wants to access a server S for some transaction. C wants to be sure that it is really connecting to S. There are many ways to do this, but the most common is digital certificates. I don't want to get into the theory behind them. Assume that both S and C have a digital certificate. C connects to S, and S sends its certificate. The catch is: how can C trust that S is what it claims to be? If C and S already know each other, trust is established directly. Where C and S do not know each other, a third party trusted by both, the Certificate Authority (CA), establishes the trust by signing S's certificate.

Difference Between Self-Signed Certificates and Commercial Certificate Authorities

The main difference is that with a self-signed certificate there is no third party involved: the certificate is signed with its own key, so all it proves is that whoever holds that key issued it, and anyone can issue one with any name in it. So if you are connecting to a server you do not already trust, you are at risk. Technically the certificate you sign yourself and one signed by a commercial CA such as VeriSign are the same kind of object (same format, same key types, same encryption once the connection is up), assuming you create it properly. What differs is the trust chain: browsers and clients ship with the commercial CAs' root certificates and will warn on a self-signed one until you install it as a trusted root yourself.

When to Use Self-Signed Certificates and When to Go for Commercial Certificates

As I said earlier, when client C knows server S, you can go for a self-signed certificate. By "know" I mean that you own both C and S, or S is maintained by someone you personally know, so you can check the certificate fingerprint out of band and install it on the clients. For everyone else, I personally feel you should go for a commercial certificate.

What Are the Steps Involved in Creating a Self-Signed Authority

Here is a very simple way of creating a self-signed certificate.

Enter the following command to generate a certificate valid for 365 days:
sudo apache2-ssl-certificate -days 365
The program asks for a few inputs (country, organisation, common name and so on); enter them as required. Make the common name the hostname clients will actually use to reach the server, otherwise they get a name-mismatch error on top of the self-signed warning. The result is /etc/apache2/ssl/apache.pem, which holds the private key as well as the certificate, so it must stay readable by root only.

(NOTE: Ubuntu Feisty has a bug where the apache2-ssl-certificate command is missing. This is a well-documented bug. Here is the file you need to download to overcome this defect and create a self-signed certificate. After downloading, extract the package and put ssleay.cnf in /usr/share/apache2/ and apache2-ssl-certificate in /usr/sbin, then create the /etc/apache2/ssl directory. The apache2-ssl-certificate script should then work.)
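If apache2-ssl-certificate is missing or you are not on Ubuntu, the same certificate can be produced with openssl directly. The script below is an added example, not code from the original post or from the apache2-ssl-certificate package; it assumes OpenSSL 1.1.1 or newer (for -addext), a 2048-bit RSA key, and writes the key and certificate as two separate files instead of one apache.pem. It also shows the two checks worth knowing: the certificate verifies when it is its own trust anchor, and it does not verify against the system CA bundle, which is exactly the difference between self-signed and CA-signed described above.

```shell
#!/bin/sh
# Added example (not from the original post): what apache2-ssl-certificate does,
# done with openssl directly. Assumes OpenSSL 1.1.1+ for -addext and -ext.
set -eu

# make_self_signed HOST OUTDIR [DAYS]
# Writes OUTDIR/HOST.key (private key, mode 0600) and OUTDIR/HOST.crt.
# The subjectAltName is what browsers match against the hostname; a CN-only
# certificate is rejected by current browsers even after you trust it.
make_self_signed() {
    host=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    # subshell so the restrictive umask does not leak into the caller's shell
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
          -days "$days" -subj "/CN=$host" \
          -addext "subjectAltName=DNS:$host" \
          -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null )
}

# cert_san CERT -> prints the SAN entry, e.g. "DNS:securedomain"
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | tr -d ' '
}

# self_signed_ok CERT -> 0 if the certificate verifies with itself as trust anchor
self_signed_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# trusted_by_system CERT -> 0 if the default CA bundle trusts it. For a
# self-signed certificate this must fail ("self signed certificate"): the file
# is structurally the same as a CA-issued one, only the signer differs, and
# that missing chain is what clients warn about.
trusted_by_system() {
    openssl verify "$1" >/dev/null 2>&1
}

# key_is_private KEYFILE -> 0 if the private key is readable by its owner only
key_is_private() {
    find "$1" -perm 600 -print | grep -q .
}
```

Because the key and certificate are separate files here, the Apache configuration needs both SSLCertificateFile and SSLCertificateKeyFile; with apache2-ssl-certificate's single apache.pem only the first is needed. To stop the browser warning on your own machines, import the .crt (never the .key) into their trust store.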

Once your certificate is ready, you need to configure Apache. In this case the configuration is very simple. Here is an example; the whole virtual host is shown so that it is complete, but the two SSL lines are the point:

NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName securedomain
    ServerAlias securedomain www.domain3.com
    DocumentRoot /var/www/ssl_securearea

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem

    <Directory /var/www/ssl_securearea>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

A single SSLCertificateFile is enough here only because apache.pem contains both the private key and the certificate; if you generated them as separate files, add SSLCertificateKeyFile pointing at the key. (Order/allow is Apache 2.2 syntax; on 2.4 use Require all granted.) I hope you get the idea where to put it.

Note: This write-up describes how I wanted to run my home server and how I did it. The description therefore focuses heavily on settings that are specific to my requirements, but you may find bits and pieces useful.

How I Want to Run My Home Server

The home server shall serve the following:

Three virtual hosts, each serving a different audience. One of the three is a pure HTTPS host for administering the server remotely.

Redirect to an SSL connection, with Basic user/group authentication, when anyone follows the File Repository or Image Gallery link on my home page.

Home server administration (phpMyAdmin, blog configuration and the like) allowed only from within the local network.

How I Went About Setting Up the Home Server to Achieve This

1. Installing the LAMP stack

I installed Ubuntu Server Edition, which offers to install the LAMP stack during installation. Choose that option; it saves you the trouble of configuring it later.

2. Setting the root password for the MySQL database

The default LAMP installation does not set a root password for MySQL. Set it right away: without it you cannot create databases from phpMyAdmin, and a passwordless root account is open to anyone who can reach the MySQL socket or port.

3. Installing phpMyAdmin

Ubuntu has a nice way of installing new packages. All I did was:
sudo apt-get update
sudo apt-get install phpmyadmin
Voila! phpMyAdmin was downloaded from the Ubuntu repositories and installed automatically. The automatic installation has one catch, though: phpMyAdmin is hooked into Apache's DocumentRoot.
That is, if the DocumentRoot is /var/www, a symbolic link to phpMyAdmin is created in /var/www.
So anyone can reach it just by typing www.yourdomain.com/phpmyadmin, and the phpMyAdmin login page shows up to the whole Internet, which makes it a password-guessing target for the MySQL root account. Be careful here; read further down for how I handle phpMyAdmin.

4. Creating directory structures

This is not necessary if you are a casual user or an enthusiast. But if you are going to run your own server, at home or in a data centre, I strongly recommend putting some thought into the directory structure, users and groups. There are no set rules for how the directories must be laid out.
This is the way I am doing it:
Each virtual host has its own DocumentRoot pointing to a separate location, as shown below.
The default directory is:
/var/www
    default
The default catches every request that no specific VHost can serve. This happens when someone connects to your IP address on port 80: the Host header then carries the bare IP address, which matches no ServerName, so Apache serves from the default root. It also happens when someone has pointed a domain name at your IP address that you do not list in any VHost. More about VHosts below.
Now the virtual host directories. I am configuring two virtual hosts. It is a good idea to create the directories in the home directory of the user who hosts that domain:
/home/"username"
    "domainname1"/www
        cgibin
        securearea            (secured with an htpasswd file)
            MediaStore/photos (symbolic link)
            MediaStore/videos (symbolic link)

/home/"username"
    "domainname2"/www
        cgibin
        securearea            (secured with an htpasswd file)
            MediaStore/videos (symbolic link)

Since the MediaStore entries are symbolic links, the Directory block for them needs Options FollowSymLinks (as in the SSL example above); make sure the links point only at directories you intend to publish, because Apache will serve whatever they point to.

Now set up a secure area for system administration over the Internet. This area can be used for running phpMyAdmin, a file vault or anything else you want absolute security for. The following is reachable only via SSL:
/var/www
    ssl_securearea

You may notice that the directory structure separates the secure area from the non-secure area. For me this is very important, as I am overly security conscious. ssl_securearea can only be reached over HTTPS and with authentication. The securearea under each virtual host is a place where you want some kind of user authentication to keep your privacy, but the content is not classified in nature: your photo album, say. You don't want every Tom, Dick and Harry to see it, hence the basic authentication, but you also don't want the photos encrypted and decrypted on every view. (Bear in mind that Basic authentication over plain HTTP sends the username and password base64-encoded, i.e. effectively in the clear, so anyone on the path can read them; that is the trade-off you accept for this area.)

5. VHOSTS Configuration
Before we jump into VHost configuration, some basic understanding of hostname, domain name, FQDN (fully qualified domain name) and CNAME alias is required; this post assumes you have it. VHost configuration can be daunting if your machine is not set up properly; I spent nearly two days getting it right.
I am going to explain with an example based on how I configured my system, with the hostname and domain names changed:
Linux hostname: HomeServer
Domain name for the first virtual host: www.domain1.com

First make sure that HomeServer is configured properly. When you type the command hostname, you should get "HomeServer". When you ping `hostname`, the name should resolve to 127.0.1.1, to the static address you configured for your interface, or to the address handed out by your DHCP server. In my case, and most probably yours as well, it resolves to 127.0.1.1. If it does not resolve at all, check your network setup.
These are the files to check when troubleshooting:

/etc/hosts
/etc/resolv.conf
/etc/hostname

Second, make sure that your aliases and domain names are resolvable. In my case, and in most cases, the domain names are hosted outside, so DNS resolution of those is not an issue. The issue is resolving the local aliases. All the aliases mentioned here are for local use only. The router I have lets me configure these alias names and their IP addresses; if yours does not, add them to your /etc/hosts file as follows:
127.0.1.1 localdomain1
127.0.1.1 localdomain2
127.0.1.1 securedomain
Now you are set to configure apache2.conf for virtual hosts.

A word before we jump into that. For each virtual host I also have a local alias, for two reasons, and I encourage others to do the same. One: when I want to reach a virtual host from inside my network, behind the firewall, I just use the local alias rather than the fully qualified domain name. Some routers, including mine, do not even allow reaching a local machine via its public FQDN. Two: I assign these aliases to the ServerName directive. When Apache reads its configuration it resolves the hostnames it finds there into IP addresses; since the aliases are in /etc/hosts, Apache can resolve them whether or not the external DNS is reachable, so a DNS outage cannot stop Apache from starting. Please read this article to know more about this issue.

This is for Ubuntu Linux server.
Make sure your /etc/apache2/apache2.conf has the following lines at the end (they are present by default):
# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/

Now all the VHosts have been configured, one file per site in /etc/apache2/sites-available. You need to enable them with the Ubuntu-provided commands.
default is already enabled, so just enable the others:
sudo a2ensite www.domain1.com (this is a filename; if you used a different name, use that)
sudo a2ensite www.domain2.com (same as above)
sudo a2ensite www.domain3.com (same as above)
Also make sure the rewrite module is enabled:
sudo a2enmod rewrite
and that the SSL module is enabled:
sudo a2enmod ssl
You are set to reload Apache:
/etc/init.d/apache2 reload
If there are no errors, everything is done. If there is an error, refer to the Apache documentation for troubleshooting. The following section has some troubleshooting info for a few deceptive warnings that teased me for two days.

6. Troubleshooting VHost Configuration
The following warnings are deceptive. They do not break your VHost configuration outright, but they change the way Apache interprets it, so if you see them, resolve them.
Warning 1

apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName

This is because Apache cannot resolve the hostname of the machine it is running on to a fully qualified name. To solve it, set ServerName for the main server: on my system it is the first line of the "default" site file, outside any <VirtualHost> block (which is what makes it apply to the main server rather than to one virtual host). I am cutting and pasting it here for your reference:
ServerName HomeServer

Warning 2

This is because somewhere in your configuration you have the same NameVirtualHost entry more than once. The Apache documentation clearly states that you can only have one NameVirtualHost per IP address and port combination. That is, if you have NameVirtualHost *, you cannot redefine it somewhere else; it has to be a different combination. You can see this in my securedomain configuration: the NameVirtualHost *:443 there is fine because it is a different port, but I cannot repeat that definition again.
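Section 4 above describes the securearea directories (reachable only after a redirect to HTTPS plus Basic authentication) but the post never shows how the password file or that part of the VHost configuration is built. The script below is an added example, not the original post's configuration; it assumes only openssl is available (no htpasswd binary), and the paths, realm name and user names in it are placeholders for illustration. It also shows how a stored entry is checked, which is the same operation Apache performs on every authenticated request.

```shell
#!/bin/sh
# Added example, not code from the original post: the Basic-auth pieces for the
# "securearea" directories built with openssl alone, plus the Apache fragment
# that forces the login over HTTPS. Paths, realm and user names are assumptions.
set -eu

# htpasswd_add FILE USER PASSWORD
# Appends "user:$apr1$salt$hash", the same format `htpasswd -m` writes. The
# 8-character salt is random, so two users with the same password get different
# hashes. The password goes in on stdin rather than argv so it never shows in ps.
htpasswd_add() {
    file=$1; user=$2; password=$3
    salt=$(openssl rand -base64 6 | tr '+/' './')
    hash=$(printf '%s\n' "$password" | openssl passwd -apr1 -salt "$salt" -stdin)
    printf '%s:%s\n' "$user" "$hash" >> "$file"
}

# htpasswd_check FILE USER PASSWORD -> 0 if PASSWORD matches the stored entry.
# This is what Apache does per request: take the salt out of the stored hash,
# re-hash the presented password with it and compare. Nothing is decrypted.
htpasswd_check() {
    file=$1; user=$2; password=$3
    stored=$(awk -F: -v u="$user" '$1 == u { print substr($0, length(u) + 2); exit }' "$file")
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(printf '%s\n' "$password" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$candidate" = "$stored" ]
}

# securearea_conf HTPASSWD_FILE DOCROOT SERVERNAME
# Prints the Apache configuration for the protected area: on port 80 the path is
# only ever answered with a redirect to https, and the auth block lives on 443.
# Basic auth is just base64, so credentials must never be sent over port 80.
securearea_conf() {
    htfile=$1; docroot=$2; name=$3
    cat <<EOF
<VirtualHost *:80>
    ServerName $name
    DocumentRoot $docroot
    # mod_alias redirect; no mod_rewrite needed for a fixed prefix
    Redirect permanent /securearea https://$name/securearea
</VirtualHost>

<VirtualHost *:443>
    ServerName $name
    DocumentRoot $docroot
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    <Directory $docroot/securearea>
        Options -Indexes
        AuthType Basic
        AuthName "Secure Area"
        AuthUserFile $htfile
        Require valid-user
    </Directory>
</VirtualHost>
EOF
}
```

Keep the htpasswd file outside every DocumentRoot (for example /home/"username"/.htpasswd) so it can never be downloaded, and make it readable by the Apache user only. The $apr1$ scheme is MD5-based and cheap to brute-force offline; if the htpasswd tool is available, prefer its bcrypt option (htpasswd -B) and the same check logic applies.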

First, Netfilter and iptables are huge subjects that take a lot of time and practice to master, and I don't claim to be a master of this art. This post is targeted at people who subscribe to a Virtual Private Server (VPS) plan and need to secure their instance against unwanted intruders.
Even though Netfilter and iptables are pretty involved subjects, it turns out that filtering out unwanted packets is fairly straightforward, at least in my case.
Before venturing into the iptables configuration, here are a few links I referred to when setting up my firewall rules:
IPTABLE Tutorial
A Neat write up on securing Cent OS
Example Filter Script
Here is the filter rule set that I use. On CentOS the rules must be in /etc/sysconfig/iptables (iptables-save format); I have tested it on CentOS only.
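The author's own rule file is not reproduced above. What follows is an added example, not the original post's rules: a minimal default-deny ruleset for a single VPS, emitted in the iptables-save format that /etc/sysconfig/iptables expects, and a way to apply it from an SSH session without locking yourself out. The port numbers (SSH on 2222, web on 80 and 443) are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's rule file: a default-deny ruleset for a
# single VPS in iptables-save format, plus a safe way to apply it over SSH.
# Port numbers are assumptions.
set -eu

# vps_rules SSH_PORT [TCP_PORT...] -> prints the ruleset on stdout.
# Rule order matters: loopback and already-established traffic are accepted
# first (otherwise replies to our own outbound connections are dropped), then
# the services we offer, then everything else is logged and hits the DROP policy.
vps_rules() {
    ssh_port=$1; shift
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    # SSH: accept new connections, but a source that opens more than 5 in a
    # minute is dropped, which blunts password guessing without extra tools
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --set --name ssh"
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name ssh -j DROP"
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    # other public services (the web server and the like)
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "' \
        'COMMIT'
}

# apply_with_rollback RULES_FILE
# iptables-restore swaps the whole table atomically. Before that, save the
# current rules and schedule their restoration in 120 seconds: if the new rules
# cut off your SSH session, the box heals itself. If you can still log in, kill
# the sleeper and then persist the rules (service iptables save on CentOS).
apply_with_rollback() {
    rollback=$(mktemp /root/iptables.rollback.XXXXXX)
    iptables-save > "$rollback"
    ( sleep 120 && iptables-restore < "$rollback" ) &
    echo "rollback scheduled as pid $!; kill $! once you have confirmed access"
    iptables-restore < "$1"
}
```

Typical use is vps_rules 2222 80 443 > /etc/sysconfig/iptables followed by the restart shown below, or apply_with_rollback /etc/sysconfig/iptables when you are doing it remotely. Note that OUTPUT is left open; a VPS that should not initiate arbitrary outbound connections deserves a matching OUTPUT policy.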

Now restart the iptables service as follows on CentOS. This should be similar on other flavours as well.

service iptables restart        (if you are root)
OR
sudo service iptables restart   (if you have the privilege to gain root permission)

Test it out.

Enabling TCP Wrappers to Add Another Layer of Security
Many network applications consult two files, hosts.allow and hosts.deny, before granting access to the users who want to use them. In securing Linux it is recommended to add several layers of security, so that even if one is compromised the others still hold guard. TCP Wrappers is one such layer against network intruders.
Any application that consults these two files follows this flow:

hosts.allow is checked first. If a "service name: connection address" pair matches, access is granted.

If it does not match, hosts.deny is checked. If a "service name: connection address" pair matches there, access is denied.

If it does not match in hosts.deny either, access is granted.

Because the fall-through is to allow, you want an explicit catch-all deny. Here are the basic rules for hosts.allow:

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# allow connections from 127.0.0.1 (localhost) to all INET services
ALL: 127.0.0.1
# allow connections from any Internet address to sshd
sshd: ALL

Here are the basic rules for hosts.deny:

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Simply deny access from any address to any service. This is a
# "deny first, allow what is required" policy.
ALL: ALL

Note that this only protects services that are linked against libwrap or started through tcpd; a daemon that ignores these files is unaffected (OpenSSH, for example, dropped TCP Wrappers support in version 6.7), so check each service and never rely on this in place of the packet filter.

I recently came across a website called www.grc.com. When you click on this link it generates long, random WPA-PSK passphrases (up to the 63-character maximum WPA allows), which you can cut and paste into your Wi-Fi base station and into each computer that should join your network. I highly recommend this site if you have any wireless or network security concerns.

They also have a network port scanner that shows which ports on your network are reachable from the Internet. I highly recommend running it and closing the holes in your firewall. Here is the link to the tool: ShieldsUP

The site also offers software for recovering data from failing hard drives, called SpinRite.

A WPA-PSK key needs to be 256 bits long. Some software lets the user enter the 256-bit key directly, as 64 hexadecimal digits. Most, however, ask for a passphrase of between 8 and 63 characters and derive the 256-bit key from it.

This article briefly describes how that is done.

The key derivation function used is PBKDF2, from RSA Laboratories' PKCS #5 standard, which IEEE 802.11i (and hence WPA) adopted for deriving the key from the passphrase.

PBKDF2 takes the passphrase and, as the salt, the SSID of the access point we want to join, and produces the 256-bit key. The underlying pseudo-random function is HMAC-SHA1: SHA-1 is a 160-bit hash function, and HMAC turns it into a keyed message authentication code.

HMAC-SHA1 is iterated 4096 times per output block; since each block is 160 bits, two blocks are computed and the result is truncated to 256 bits. Because the salt is the public SSID and 4096 iterations of SHA-1 are cheap on modern hardware, the derived key is only as strong as the passphrase: a short or dictionary passphrase on a common SSID can be cracked offline from a single captured handshake, which is why a long random passphrase matters. To know more about SHA-1, see the SHA1 RFC; to know more about HMAC, see the HMAC RFC.
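The derivation just described can be reproduced with the openssl kdf subcommand. The script below is an added example, not code from the original post; it assumes OpenSSL 3.0 or newer (older releases have no kdf subcommand) and checks the result against the test vectors published in IEEE 802.11i, so you can confirm that your access point and client really compute the same PSK from a passphrase.

```shell
#!/bin/sh
# Added example, not code from the original post: WPA/WPA2 PSK derivation with
# PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, via `openssl kdf`.
# Requires OpenSSL 3.0 or newer.
set -eu

# openssl_supports_kdf -> 0 if this openssl has the kdf subcommand (3.0+)
openssl_supports_kdf() {
    openssl list -kdf-algorithms >/dev/null 2>&1
}

# wpa_psk PASSPHRASE SSID -> the 256-bit PSK as 64 lowercase hex digits, the
# "raw key" form that some access points accept instead of a passphrase.
# pkcs5:1 tells OpenSSL to skip its SP 800-132 minimums (salt >= 128 bits),
# which a short SSID such as "IEEE" would otherwise trip over.
wpa_psk() {
    passphrase=$1; ssid=$2
    len=${#passphrase}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "passphrase must be 8 to 63 characters" >&2
        return 2
    fi
    openssl kdf -keylen 32 -kdfopt digest:SHA1 -kdfopt pkcs5:1 \
        -kdfopt "pass:$passphrase" -kdfopt "salt:$ssid" -kdfopt iter:4096 PBKDF2 \
        | tr -d ':' | tr 'A-F' 'a-f'
}

# psk_differs_by_ssid PASSPHRASE SSID1 SSID2 -> 0 if the two PSKs differ.
# The SSID is the salt, so precomputed tables are per SSID; that only helps
# if your SSID is not one of the common defaults attackers precompute for.
psk_differs_by_ssid() {
    [ "$(wpa_psk "$1" "$2")" != "$(wpa_psk "$1" "$3")" ]
}
```

Running wpa_psk password IEEE gives the 802.11i reference value f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e; with a real passphrase and SSID, the output is what you would type into an access point's 64-digit hex key field.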

After installing Linux, it is a good idea to stop using the root account directly (lock its password and disallow root logins rather than deleting the account, which the system still needs). This is part of making your system as secure as possible. Almost all Linux installations come with a program named sudo that gives normal users root privileges without their knowing the root password, so they can run commands meant for root, and every such command is logged with the user's name. Follow the steps below to allow a user to obtain root privileges:

Enable the user or group that should gain root privileges in /etc/sudoers. The normal practice is to allow the members of the wheel group to run all root-privileged commands, by uncommenting the wheel line in /etc/sudoers and adding the user to that group.

/etc/sudoers is edited with visudo, which checks the syntax before saving (a broken sudoers file can lock everyone out of root). You need to be root to edit this file.

One of my friends forwarded this joke and it is really hilarious. This blog is more about technical stuff, but once in a while a dose of humor is good for you. Read on and laugh heartily.

ENGLISH OF TOMORROW EU ANNOUNCEMENT The European Commission has just announced an agreement whereby English will be the official language of the European Union rather than German, which was the other possibility. As part of the negotiations, the British Government conceded that English spelling had some room for improvement and has accepted a 5- year phase-in plan that would become known as “Euro-English”. In the first year, “s” will replace the soft “c”. Sertainly, this will make the sivil servants jump with joy. The hard “c” will be dropped in favour of “k”. This should klear up konfusion, and keyboards kan have one less letter. There will be growing publik enthusiasm in the sekond year when the troublesome “ph” will be replaced with “f”. This will make words like fotograf 20% shorter. In the 3rd year, publik akseptanse of the new spelling kan be expekted to reach the stage where more komplikated changes are possible. Governments will enkourage the removal of double letters which have always ben a deterent to akurate speling. Also, al wil agre that the horibl mes of the silent “e” in the languag is disgrasful and it should go away. By the 4th yer people wil be reseptiv to steps such as replasing “th” with “z” and “w” with “v”. During ze fifz yer, ze unesesary “o” kan be dropd from vords kontaining “ou” and after ziz fifz yer, ve vil hav a reil sensi bl riten styl. Zer vil be no mor trubl or difikultis and evrivun vil find it ezi tu understand ech oza. Ze drem of a united urop vil finali kum tru. Und efter ze fifz yer, ve vil al be speking German like zey vunted in ze forst plas. If zis mad you smil, pleas pas on to oza pepl.

How often have you wished you could see the definitions of a word from several dictionaries at once? Stop wondering: OneLook is for you. It is more than a "word" search engine. It indexes words from various dictionaries and provides comprehensive information about each word: a quick definition, a pronunciation audio clip and usage of the word in phrases. See the screenshot for the word "pleasant".

You can also use it to find words matching a pattern of letters and the wildcards * and ?. This is really cool. For example, to find all four-letter words that start with "sh" and end with "t", you would enter "sh?t". This produces the following result: